Filesystem, Security, Privacy, and Anonymization Features in Nitrux

In today’s tutorial, we’ll check all the filesystem, security, privacy, and anonymization features in Nitrux.

Difficulty: ★☆☆☆☆

📜 Table of Contents

Default Security Policies in Nitrux

Nitrux enables the following security features and policies by default and any encryption capabilities (enabled by Nitrux™).

Features:
- Application sandboxing.
  - AppImages and other executables.
    - AppArmor.
    - Firejail.
  - Flatpaks.
    - Bubblewrap.
- Network security.
  - Firewall (UFW), using Plasma Firewall.
  - OpenVPN support.
  - OpenConnect support.
  - Wireguard support.
  - DNS-based Ad blocking, using dbab.
- Filesystem immutability and root directory intrusion detection.
  - See XFS Features and Root Immutability in Nitrux.
  - See Using and Configuring AIDE.
- Password management.
  - KWalletManager. KWalletManager is a tool to manage the passwords on your system.
    - 🔰 Information: To use KWalletManager with GPG keys, we recommend creating a key using KGpg. To do this, see our tutorial on How to use KWalletManager in Nitrux.
Policies:
- Disable core dumps. Core dumps are created for diagnosing and debugging errors in Linux applications. However, core dumps may contain sensitive info, such as passwords and user data, including PAN, SSN, or encryption keys. Also, they take up a large amount of disk space too.
- Stricter password expiration date. Passwords are the primary key to accessing an account, related services, and data, and therefore, they need to be protected via a strong password and password expiry policy. The default expiration date of passwords in Debian is 99999 days; ours is 1111.1 times shorter.
- Increment in hashing rounds for passwords. With over 60k rounds, it is more difficult to brute force the password; by default, Debian uses 5000 rounds, which is too low for modern hardware.
- Passwords use SHA-2 512 encryption. Contrary to Debian, which uses yescrypt by default.
- Increment in complexity for new passwords. This rule is not enforced in Debian, but it is enforced in Nitrux starting with version 2.8.1.
- Deactivate the root account in the Live session and on the installed system. By default, Nitrux does not add or enable a password for the root account. Any administrative tasks performed by the user must be done through the use of sudo.
- Enforce a stricter password quality policy. By default, we use libpwquality to increase user account security. Users must use a password over eight characters long, including uppercase, lowercase, numbers, and symbols, with sufficient randomness when creating a user account. This policy is enforced during installation and for user accounts created post-installation.

XFS Features and Root Immutability in Nitrux

The root partition will use the XFS filesystem. Also, this XFS formatted partition will use the following additional filesystem features (enabled by Nitrux™).

Allow inodes to be placed at any location on the filesystem. Storing a file’s inode in the exact location as the file’s data leads to improved performance.

Since Nitrux 2.6.0, the root directory is default set to be immutable, meaning no changes occur to its contents. This change allows us to provide new versions of the distribution with a higher degree of certainty that no changes have occurred to the root that might cause a conflict. We also want to avoid sudden issues from upgraded packages coming from a different origin than our repository, which we have a minimal way of controlling. However, we understand that there may be cases where users need to change something in the root directory.

⚠️ Important: Avoid writing data to the root as a user while using the command below, as this will cause an error when exiting the shell session that overlayroot-chroot will create. Any changes to the root directory should be explicitly done only through the shell session after running overlayroot-chroot.
- ⚠️ Important: It’s essential to mount and then unmount /dev; otherwise, stuff like the CLI text editor we include in Nitrux (micro) will not work.
🔰 Information: After making the desired modifications, type sync and exit.

sudo overlayroot-chroot
mount -t devtmpfs dev /dev

# (... do stuff...)

umount /dev
sync
exit

For the changes to be applied to the overlay, i.e., the upper directory, the computer must be rebooted, or the kernel must be loaded again using Kernel Boot (where supported); otherwise, any modifications won’t be visible.

Alternatively, users can temporarily boot with the immutability disabled. To do that, do the following steps.

⚠️ Important: We must stress that the preferred method to modify the root is the above. If you know what you’re doing, use the method below at your own risk.
- Press E in the GRUB boot menu.
- Using the arrow keys, navigate to the bottom and search for the kernel parameter overlayroot=tmpfs:swap=1,recurse=0, and change the parameter to overlayroot=disabled.
- To continue the boot process, press F10.
- After making the desired modifications, reboot.

Using and Configuring AIDE

Since Nitrux 2.6.0, the distribution’s root directory is immutable by default; however, in Nitrux 2.8.1, the distribution includes the Advanced Intrusion Detection Environment or AIDE as an additional security feature. “AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file.” AIDE can also be configured to monitor other directories; please check the AIDE manual.

⚠️ Important: The commands below create, copy, edit, or move files in the root directory; see XFS Features and Root Immutability in Nitrux.

To start using AIDE, run the following command. The command below will create the database AIDE uses to compare file changes.

⚠️ Important: Creating the AIDE database will take several minutes. Do not stop the process, i.e., do not close the terminal window, log out, shut down, or reboot the computer, or the process will have to be restarted.

aide -i -c /etc/aide/aide.conf

Next, install the newly generated database with the following command.

cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db

After creating the database, users can run the commands below to look for changes in the root directory.
- Run the following command to check the database after adding or editing a file to the root.

aide -C -c /etc/aide/aide.conf

Run the following command to check and update the database after adding or editing files in the root.

aide -u -c /etc/aide/aide.conf

Online Anonymization using Tor and DNSCrypt-Proxy 2

Since Nitrux 2.8.1, the distribution includes Tor, Torsocks, and DNSCrypt-Proxy 2 to help users protect their online presence.

Configure Torsocks in Plasma

To use Tor (via Torsocks) in Plasma, do the following.

Go to System Settings>Settings>Proxy and select Use manually specified proxy configuration.
Go to SOCKS Proxy, type localhost, select port 9050, and click the Apply button.
- ⚠️ Important: Not all applications will use this proxy setting. In particular, Firefox and Chromium or anything derived from them. Some applications may allow the proxy to be configured in their settings.

Configure Torsocks in Firefox

To use Tor with Firefox, check “Connection settings in Firefox” on the Firefox Support website.

Select Manual configuration, then in SOCKS Proxy, type localhost, select port 9050, and check SOCKS v5.

Configure DNSCrypt-Proxy 2 system-wide

To use DNSCrypt-Proxy 2 system-wide, do the following.

First, replace the listen address that DNSCrypt-Proxy 2 uses by default.
- ⚠️ Important: The commands below create, copy, edit, or move files in the root directory; see XFS Features and Root Immutability in Nitrux.

sed -i 's+:5300+127.0.0.1:53+g' /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Then, kill the service for dnsmasq as it will conflict with DNSCrypt-Proxy 2 and the process because it will not allow DNSCrypt-Proxy 2 to use port 53.

sudo rc-service dnsmasq stop
sudo killall dnsmasq

Run the DNSCrypt-Proxy 2 command in the background.

sudo dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml &

Next, go to System Settings>Connections>IPv4 and select Automatic (only addresses) as the method.
Then, enter the local host address, or 127.0.0.1, in the field DNS Servers. Repeat for IPv6 and click the button “Apply.”
Restart the service for NetworkManager.

sudo rc-service network-manager restart

Test that the DNS resolving is working. To test, run the following command.
- Verify that the resolver is not the ISP.

dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve nxos.org

Finally, to test using a web browser, by default Firefox, go to the following website, DNS leak test, and click “Extended test.” Like before, check that the resolvers are not your ISP.
- Optionally, create a service file that starts DNSCrypt-Proxy 2. To create services for OpenRC, see our tutorial, How to create service files in Nitrux pt. 1: OpenRC.

Ad-blocking in Nitrux using dbab

Since Nitrux 2.9.0, the distribution includes dbab, a DNSmasq-based ad-blocking utility using Pixelserv. “dbab provides a solution for the SOHO service environment and smoothly integrates DHCP, DNS, local caching, and Ad blocking into harmony. Adblocking is done by DNSmasq + Pixelserv, i.e., done at the DNS level — all requests to ad sites are blocked right there at DNS.” Features include the following.

Work at the DNS level. Leave the web pages intact, without pattern matching, string substitution, or/or replacing HTML elements.
Serve instantly. All ads will be replaced by a 1×1 pixel gif image served locally by the dbab-svr pixel server.
Maintenance free. You don’t need to maintain the list of ad sites yourself. The block list can be downloaded from pgl.yoyo.org periodically. If you don’t like some of the entries, you can quickly add to or remove them from that list.

To download an updated block list, run the following command.

⚠️ Important: The command below creates, copies, edits, or moves files in the root directory; see XFS Features and Root Immutability in Nitrux.

dbab-get-list

To manually add or remove a domain from the block list, edit the following file.

⚠️ Important: The command below creates, copies, edits, or moves files in the root directory; see XFS Features and Root Immutability in Nitrux.

micro /etc/dnsmasq.d/dbab-map.adblock.conf

After any changes to the block list, restart the dnsmasq service. To do this, run the following command.

sudo pkill dnsmasq
sudo rc-service dnsmasq restart

File Encryption in Nitrux

Nitrux provides multiple ways to encrypt data, including block-device using dm-crypt; see Installing Nitrux, filesystem-level using f2fscrypt and userland encryption tools like fscrypt and Plasma Vaults.

As its name suggests, Plasma Vaults is tightly integrated with Plasma Desktop and can be accessed from the system tray.
- To create a new vault, click the system tray applet, then click ‘Create a new vault’ and follow the setup wizard.
- Plasma Vault supports the following encryption “engines,” CryFS (default), EncFS (suitable for offline use), and gocryptfs (recommended).
A non-GUI option is fscrypt. fscrypt (not to be confused with f2fscrypt) is a tool for managing the native file encryption support of the ext4, F2FS, and UBIFS file systems.

Using F2FS Features in Nitrux

Since Nitrux 2.8.0, the home and /var/lib partitions will use F2FS instead of XFS. Also, these F2FS formatted partitions will use the following additional filesystem features (enabled by Nitrux™).

Compression using zstd with compression at level 6. The primary goal is reducing writes to extend the flash lifetime and, potentially, a slight increase in performance.
Verification of compressed blocks using a checksum to avoid corruption.
Enable a better garbage collector and asynchronous garbage collection.
Avoid synchronously updating access or modification times, which improves I/O performance and flash durability.
Native F2FS file encryption. Encryption is applied at the directory level, and different directories can use different encryption keys. To use F2FS’s native encryption support.

Native File Compression in F2FS

F2FS allows the user to compress directories on-demand; to do this, run the following command.

chattr -R +c $DIRECTORY

Native File Encryption in F2FS

F2FS allows the user to use its native encryption capabilities through f2fscrypt and fscrypt.

If using f2fscrypt, do the following.
- First, create the key in the keyring using a simple salt (or generate a random salt).

f2fscrypt add_key -S 0x1234
Enter passphrase (echo disabled):
Added key with descriptor [28e21cc0c4393da1]

Then, use it to set the policy for the directory to be encrypted.

f2fscrypt set_policy 28e21cc0c4393da1 /encrypted/dir
Key with descriptor [28e21cc0c4393da1] applied to /encrypted/dir.

After each reboot, the same command can be used to set the key for decrypting the directory and child directories.

f2fscrypt get_policy /encrypted/dir/
/encrypted/dir/: 28e21cc0c4393da1

If using fscrypt, do the following.
- - 🔰 Information: fscrypt is the preferred option over f2fscrypt; while both can manage F2FS native encryption features, f2fscrypt is deemed missing many essential features and is no longer actively developed.
- Run fscrypt so that it creates its configuration file and work directory.

sudo fscrypt setup

Then, run the following command since the file system on which encryption is to be used is not the root file system.
- Where $MOUNTPOINT is where the file system is mounted, e.g.,/home.

sudo fscrypt setup $MOUNTPOINT

This creates the $MOUNTPOINT/.fscrypt directory to store fscrypt policies and protectors.
- ⚠️ Important: Never delete the .fscrypt directory; otherwise, ALL access to encrypted files will be lost.

That’s it; this concludes today’s tutorial.

Post Views: 802